Q: DHS found some vulnerable applications, should I be worried?
A: No. Vulnerable applications are simply applications that a local attacker could abuse to perform malicious actions in a stealthy manner. For example, such an attacker could target a vulnerable application that is automatically started by the OS to gain persistence, simply by planting a malicious dynamic library. It is important to understand that in order to abuse a vulnerable application, an attacker would already have to have compromised your computer. At that point, all bets are off anyway.
Q: Are there patches available for the vulnerable applications?
A: Because dylib hijacks abuse legitimate functionality of the core OS, there are no per-application patches available. In the future, Apple may introduce OS-level security features, such as requiring all libraries to be signed, which may mitigate this attack.
Q: DHS found a hijacked application, now what?
A: First off, don't freak out - especially if the type of hijack is weak. Without getting into the (boring) technical details, there are legitimate scenarios that cannot be differentiated from a malicious hijack. To err on the side of caution, DHS is tuned to report false positives rather than false negatives. If a potential hijack is detected, there are several steps that may help determine whether the hijacker dylib is malicious. First, check if the flagged dynamic library (whose path is reported in the light gray sub-text of the row) is on the list of known false positives. If not, perhaps submit the dylib to VirusTotal, which will scan the file with a myriad of anti-virus engines. If you are still concerned, perhaps google the hash of the file, run strings on it, or email me and attach the flagged file :)
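The hash and strings steps above, as an added Python triage helper that is not part of DHS or the original page; it writes a constructed fake Mach-O sample to a temporary file, so the sample bytes and path are assumptions, not a real flagged dylib:

```python
# Added triage helper (not DHS code): hash a flagged dylib for VirusTotal
# or web-search lookups, confirm it is a Mach-O image, and pull printable
# strings from it, demonstrated on a constructed sample file.
import hashlib
import os
import re
import tempfile

# Mach-O magic numbers as they appear on disk (thin images are
# little-endian; fat/universal binaries use big-endian 0xcafebabe).
MACHO_MAGICS = {
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit",
    b"\xca\xfe\xba\xbe": "Mach-O fat/universal",
}

def identify_macho(data: bytes) -> str:
    """Label the file from its first four bytes, or 'not Mach-O'."""
    return MACHO_MAGICS.get(data[:4], "not Mach-O")

def hashes(data: bytes) -> dict:
    """MD5 and SHA-256: the hashes most useful for VirusTotal or a web search."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}

def printable_strings(data: bytes, min_len: int = 6) -> list:
    """Equivalent of `strings -n 6`: runs of printable ASCII at least min_len long."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def triage(path: str) -> dict:
    """Collect the facts a reviewer wants before deciding on a flagged dylib."""
    with open(path, "rb") as f:
        data = f.read()
    info = {"path": path, "type": identify_macho(data), "size": len(data)}
    info.update(hashes(data))
    info["strings"] = printable_strings(data)
    return info

# Constructed sample (assumption): a fake 64-bit Mach-O header followed by
# two strings standing in for a linked library path and an imported symbol.
SAMPLE = (b"\xcf\xfa\xed\xfe" + b"\x00" * 28 +
          b"/usr/lib/libSystem.B.dylib\x00" + b"CFBundleGetMainBundle\x00")

if __name__ == "__main__":
    with tempfile.NamedTemporaryFile("wb", suffix=".dylib", delete=False) as tmp:
        tmp.write(SAMPLE)
    report = triage(tmp.name)
    os.unlink(tmp.name)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The SHA-256 in the report is the value to paste into VirusTotal or a search engine; a "not Mach-O" label on a file DHS flagged as a dylib is itself worth a closer look.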